CVE-2007-4575
published 2007-12-06CVE-2007-4575: HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted…
PriorityP348critical9.3CVSS 2.0
AVNACMAuNCCICAC
EPSS
14.35%
96.2th percentile
HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents, related to "exposing static java methods."
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | hsqldb | < hsqldb 1.8.0.9-1 (bookworm) | hsqldb 1.8.0.9-1 (bookworm) |
| openoffice | openoffice | <= 2.3 | — |
| openoffice | openoffice | — | — |
| openoffice | openoffice | — | — |
| openoffice | openoffice | — | — |
| openoffice | openoffice | — | — |
| openoffice | openoffice | — | — |
| openoffice | openoffice | — | — |
| openoffice | openoffice | — | — |
| openoffice | openoffice | — | — |
| openoffice | openoffice | — | — |
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
osv9.3CRITICAL
vendor_debian9.3CRITICAL
vendor_redhat9.3CRITICAL
vendor_ubuntu9.3CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-583w-wjg4-5w8f: HSQLDB before 1
ghsa_unreviewed·2022-05-01
CVE-2007-4575 [HIGH] CWE-94 GHSA-583w-wjg4-5w8f: HSQLDB before 1
HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents, related to "exposing static java methods."
OSV
CVE-2007-4575: HSQLDB before 1
osv·2007-12-06·CVSS 9.3
CVE-2007-4575 [CRITICAL] CVE-2007-4575: HSQLDB before 1
HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents, related to "exposing static java methods."
Ubuntu
OpenOffice.org vulnerabilities
vendor_ubuntu·2008-05-06·CVSS 9.3
CVE-2007-5745 [CRITICAL] OpenOffice.org vulnerabilities
Title: OpenOffice.org vulnerabilities
Summary: OpenOffice.org vulnerabilities
It was discovered that arbitrary Java methods were not filtered out when
opening databases in OpenOffice.org. If a user were tricked into running
a specially crafted query, a remote attacker could execute arbitrary
Java with user privileges. (CVE-2007-4575)
Multiple memory overflow flaws were discovered in OpenOffice.org's
handling of Quattro Pro, EMF, and OLE files. If a user were tricked
into opening a specially crafted document, a remote attacker might be
able to execute arbitrary code with user privileges. (CVE-2007-5745,
CVE-2007-5746, CVE-2007-5747, CVE-2008-0320)
Instructions: After a standard system upgrade you need to restart OpenOffice.org to effect
the necessary changes.
Red Hat
OpenOffice.org-base allows Denial-of-Service and command injection
vendor_redhat·2007-12-04·CVSS 9.3
CVE-2007-4575 [CRITICAL] OpenOffice.org-base allows Denial-of-Service and command injection
OpenOffice.org-base allows Denial-of-Service and command injection
HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents, related to "exposing static java methods."
Debian
CVE-2007-4575: hsqldb - HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows us...
vendor_debian·2007·CVSS 9.3
CVE-2007-4575 [CRITICAL] CVE-2007-4575: hsqldb - HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows us...
HSQLDB before 1.8.0.9, as used in OpenOffice.org (OOo) 2 before 2.3.1, allows user-assisted remote attackers to execute arbitrary Java code via crafted database documents, related to "exposing static java methods."
Scope: local
bookworm: resolved (fixed in 1.8.0.9-1)
bullseye: resolved (fixed in 1.8.0.9-1)
forky: resolved (fixed in 1.8.0.9-1)
sid: resolved (fixed in 1.8.0.9-1)
trixie: resolved (fixed in 1.8.0.9-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2007-4575 OpenOffice.org-base allows Denial-of-Service and command injection
bugzilla·2007-09-21·CVSS 9.3
CVE-2007-4575 [CRITICAL] CVE-2007-4575 OpenOffice.org-base allows Denial-of-Service and command injection
CVE-2007-4575 OpenOffice.org-base allows Denial-of-Service and command injection
OpenOffice.org-base allows to execute arbitrary static public java methods.
This can be misused by a remote attacker to send a victim a handcrafted odb files.
The odb file execute these commands in the database bootstrap phase.
Furthermore an unprivileged user can extend his privileges by using aliased
methods.
Discussion:
But is this really OOo, or is it hsqldb. Would sure be a whole lot easier to
remove this foo from hsqldb, let me just talk to the Sun database developers
about this CALL "java" stuff
---
just putting the hsqldb guys on CC this in the interim
---
ok, hsqldb people and the OOo database people have been informed and we all
reckon it's a problem that needs fixing, though we can't quite c
Bugzilla
CVE-2007-4575 HSQLDB DoS and information disclosure
bugzilla·2007-09-20·CVSS 9.3
CVE-2007-4575 [CRITICAL] CVE-2007-4575 HSQLDB DoS and information disclosure
CVE-2007-4575 HSQLDB DoS and information disclosure
Description of problem:
The HSQLDB service in various products is vulnerable to DoS and
information disclosure.
Version-Release number of selected component (if applicable):
1.8.0.4-3jpp.4
How reproducible:
1) Start HSQLDB service. /sbin/service hsqldb start
(may need to change login shell for su-ing the service)
2) Connect via JDBC (f.i. with ant sql task) to port 9001 on the
machine hosting the hsqldb service
An attacker may choose an SQL statement such as
a) CALL “sun.misc.MessageUtils.toStderr†(NULL) ;
to crash the JVM running the service or
b) CALL "java.lang.System.getenv" ('PATH'); to spy for
system properties.
c) CALL "java.util.regex.Pattern.compile"
('(A+)?(A+)?(A+)?(A+)?(A+)?(A+)?(A+)?(A+)?(A+)?(A+)?(A+)?(A+)?
http://bugs.gentoo.org/show_bug.cgi?id=200771http://bugs.gentoo.org/show_bug.cgi?id=201799http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00005.htmlhttp://secunia.com/advisories/27914http://secunia.com/advisories/27916http://secunia.com/advisories/27928http://secunia.com/advisories/27931http://secunia.com/advisories/27972http://secunia.com/advisories/28018http://secunia.com/advisories/28039http://secunia.com/advisories/28286http://secunia.com/advisories/28585http://secunia.com/advisories/30100http://sunsolve.sun.com/search/document.do?assetkey=1-26-103141-1http://sunsolve.sun.com/search/document.do?assetkey=1-66-200637-1http://www.debian.org/security/2007/dsa-1419http://www.gentoo.org/security/en/glsa/glsa-200712-25.xmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2008:095http://www.openoffice.org/security/cves/CVE-2007-4575.htmlhttp://www.redhat.com/archives/fedora-package-announce/2007-December/msg00134.htmlhttp://www.redhat.com/archives/fedora-package-announce/2007-December/msg00155.htmlhttp://www.redhat.com/archives/fedora-package-announce/2007-December/msg00281.htmlhttp://www.redhat.com/support/errata/RHSA-2007-1048.htmlhttp://www.redhat.com/support/errata/RHSA-2007-1090.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0151.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0158.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0213.htmlhttp://www.securityfocus.com/bid/26703http://www.securitytracker.com/id?1019041http://www.ubuntu.com/usn/usn-609-1http://www.vupen.com/english/advisories/2007/4092http://www.vupen.com/english/advisories/2007/4146https://exchange.xforce.ibmcloud.com/vulnerabilities/38882https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10153https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00678.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-January/msg00753.htmlhttp://bugs.gentoo.org/show_bug.cgi?id=200771http://bugs.gentoo.org/show_bug.cgi?id=201799http://lists.opensuse.org/opensuse-security-announce/2007-12/msg00005.htmlhttp://secunia.com/advisories/27914http://secunia.com/advisories/27916http://secunia.com/advisories/27928http://secunia.com/advisories/27931http://secunia.com/advisories/27972http://secunia.com/advisories/28018http://secunia.com/advisories/28039http://secunia.com/advisories/28286http://secunia.com/advisories/28585http://secunia.com/advisories/30100http://sunsolve.sun.com/search/document.do?assetkey=1-26-103141-1http://sunsolve.sun.com/search/document.do?assetkey=1-66-200637-1http://www.debian.org/security/2007/dsa-1419http://www.gentoo.org/security/en/glsa/glsa-200712-25.xmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2008:095http://www.openoffice.org/security/cves/CVE-2007-4575.htmlhttp://www.redhat.com/archives/fedora-package-announce/2007-December/msg00134.htmlhttp://www.redhat.com/archives/fedora-package-announce/2007-December/msg00155.htmlhttp://www.redhat.com/archives/fedora-package-announce/2007-December/msg00281.htmlhttp://www.redhat.com/support/errata/RHSA-2007-1048.htmlhttp://www.redhat.com/support/errata/RHSA-2007-1090.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0151.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0158.htmlhttp://www.redhat.com/support/errata/RHSA-2008-0213.htmlhttp://www.securityfocus.com/bid/26703http://www.securitytracker.com/id?1019041http://www.ubuntu.com/usn/usn-609-1http://www.vupen.com/english/advisories/2007/4092http://www.vupen.com/english/advisories/2007/4146https://exchange.xforce.ibmcloud.com/vulnerabilities/38882https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10153https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00678.htmlhttps://www.redhat.com/archives/fedora-package-announce/2008-January/msg00753.html
2007-12-06
Published